
OpenSSL FREAK Man-in-the-Middle Hijacking Vulnerability - Solution

Time: 2015-03-31 17:35:26

 

OpenSSL upgrade steps:

Environment: CentOS

wget http://www.openssl.org/source/openssl-1.0.2a.tar.gz
tar zxvf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
# Build and install under /usr/local/ssl
./config --prefix=/usr/local/ssl
make && make install
# Set the old binary and headers aside, then link to the new build
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# Register the new library directory with the dynamic linker
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
# Confirm the version now in use
openssl version -a

 

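Commands to check for the OpenSSL FREAK man-in-the-middle hijacking vulnerability (the client offers only EXPORT cipher suites, so a completed handshake means the server still accepts them, while a handshake failure means it does not):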

openssl s_client -connect m.mash5.cn:443 -cipher EXPORT
openssl s_client -connect 121.199.43.97:443 -cipher EXPORT

 

Tomcat solution (recommended for Tomcat users):

Open Tomcat's configuration file server.xml and add the following attributes to the <Connector> that handles SSL:
Tomcat 5, 6:
SSLEnabled="true"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

Tomcat >= 7:
SSLEnabled="true"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
After making the changes, restart the Tomcat service.
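
An added example, not part of the original article: a Python check that reads a server.xml and reports, for each SSL-enabled Connector, any export-grade suites (the ones a FREAK downgrade depends on), any RC4 suites, and connectors that have no explicit ciphers attribute at all. The sample XML, the function name audit_connectors and the finding labels are assumptions made for illustration, and suite names are assumed to be JSSE-style as in the lists above.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration (not from the original page).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
  <Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"/>
  <Connector port="10443" SSLEnabled="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return {port: [(kind, suite_or_None), ...]} for SSL-enabled Connectors."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to audit
        findings = []
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: the suites come from the JVM defaults, so the
            # restriction described above is not in effect for this connector.
            findings.append(("NO_CIPHER_LIST", None))
        else:
            for suite in (s.strip() for s in raw.split(",")):
                if "_EXPORT_" in suite:
                    # Export-grade key exchange/cipher: what FREAK downgrades to.
                    findings.append(("EXPORT", suite))
                elif "_RC4_" in suite:
                    # Not FREAK-related, but RC4 is prohibited by RFC 7465.
                    findings.append(("RC4", suite))
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "no export or RC4 suites listed")
```

Run against the cipher lists given above, the check finds no export suites but does flag the two RC4 entries they contain.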

 


Original article: http://www.cnblogs.com/caotianyulu/p/4381258.html
